Researchers have identified new macOS malware that can fetch and execute code in memory, and which they believe is the work of the North Korean APT group Lazarus, they said Thursday. Security researcher Dinesh Devadoss posted on Twitter a hash for a macOS trojan he discovered; it hides behind a fake crypto-trading platform called Union Crypto Trader and eludes detection by most anti-virus software. After Devadoss posted about his discovery, security researcher and macOS hacker Patrick Wardle took a deeper dive into the malware, noting that the delivery method of the trojan, a cryptocurrency installer package named UnionCryptoTrader.pkg, is an obvious sign of Lazarus involvement. “Lazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges,” he wrote in a blog post. “And their de facto method of infecting such targets is via fake crypto-currency company and trading applications.” Indeed, the newly discovered attack follows this pattern: the installer is hosted on a website called “unioncrypto.vip” that advertises a “smart cryptocurrency arbitrage trading platform” but provides no download links, according to one report about the malware. Cryptocurrency is just one key area of activity for Lazarus, a group sponsored by the government of North Korea that was seen earlier this year mounting a broad cyber-criminal campaign against the cryptocurrency business. The active and dangerous APT group also is believed to…

U.S. data center provider CyrusOne has been hit by a ransomware attack that has impacted six of its managed services customers, a report has found. CyrusOne, which is based in Texas and is one of the biggest data center providers in the U.S., serves more than 185 Fortune 1000 customers worldwide. The ransomware attack, first reported Thursday by ZDNet, took place Wednesday and created availability issues for six of CyrusOne’s managed services customers located in its New York data center, including financial and brokerage company FIA Tech. “Our data center colocation services, including IX and IP Network Services, are not involved in this incident,” CyrusOne told ZDNet. “Our investigation is ongoing and we are working closely with third-party experts to address this matter.” According to the report, the attack infected the data-center provider with the REvil (Sodinokibi) ransomware, a widely used strain seen in other high-profile ransomware attacks, including one in August that hit 22 Texas local governments in what Texas officials said was a targeted attack launched by a single threat actor. A ransom note reportedly told the company that its files were encrypted and that a ransom must be paid for them to be decrypted. ZDNet reported that CyrusOne does not intend to pay the ransom. CyrusOne did not respond to a request for comment from Threatpost. Security experts for their part said that data centers are a lucrative target for…

KrebsOnSecurity ran a story this week that puzzled over Apple's response to inquiries about a potential privacy leak in its new iPhone 11 line, in which the devices appear to intermittently seek the user's location even when all applications and system services are individually set never to request this data. Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it. I published Tuesday's story mainly because Apple's initial and somewhat dismissive response — that this was expected behavior and not a bug — was at odds with its own privacy policy and with its recent commercials stating that customers should be in full control over what they share via their phones and what their phones share about them. But in a statement provided today, Apple said the location beaconing I documented in a video was related to Ultra Wideband technology that "provides spatial awareness allowing iPhone to understand its position relative to other Ultra Wideband enabled devices (i.e. all new iPhone 11s, including the Pro and Pro Max). Ultra-wideband (a.k.a. UWB) is a radio technology that uses a very low energy level for short-range, high-bandwidth communications over a large portion of the radio spectrum without interfering with more conventional transmissions. "So users can…

Hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers have been laid open to anyone with an internet connection, thanks to an oversight by a contractor working with Sprint. According to a media investigation, the contractor misconfigured a cloud storage bucket on Amazon Web Services (AWS) in which more than 261,300 documents were stored, mainly cell phone bills from Sprint customers who had switched from other carriers. Cell phone bills are a treasure trove of data: they include names, addresses and phone numbers along with spending histories and, in many cases, call and text message records. In this case, some of the bills date back to 2015; it’s unclear how long the bucket was exposed. Some of the records were also ancillary materials, such as bank statements and screenshots of web pages containing subscribers’ online usernames, passwords and account PINs. Fidus Information Security first uncovered the open bucket and, unsure of who it belonged to, alerted AWS; the bucket was subsequently closed off from the open web. In its own investigation, TechCrunch reviewed the cache and found the bucket to belong to Deardorff Communications, a marketing agency that works with Sprint; Deardorff acknowledged the incident and said that there would be an internal investigation and a review of its policies and procedures. A Sprint spokesperson said that the company was “assured that the error has been corrected.” Cloud misconfigurations that expose sensitive…
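The misconfiguration behind this story is the kind an owner can catch with a routine check of the bucket's ACL and bucket policy. The following is an added example, not code from Fidus, TechCrunch, Deardorff or AWS: it takes the two structures that boto3's `get_bucket_acl()` and `get_bucket_policy()` return and reports every grant that opens the bucket to everyone (or to any AWS account). The bucket name, owner ID, role ARN, ACL grants and policies below are constructed sample data, and the "locked" versions are an assumed corrected state rather than what Deardorff actually changed.

```python
"""Offline check of an S3 bucket ACL and bucket policy for public access.

Added illustration, not code from Fidus, TechCrunch or AWS. The input shapes
mirror what boto3's get_bucket_acl() and get_bucket_policy() return; the
bucket name, grants and policies below are constructed sample data.
"""
import json

# Canned groups that make an ACL grant readable by the world or by any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_document):
    """Return Allow statements whose Principal is a wildcard.

    A statement carrying a Condition block is still reported, but marked
    conditional, because a condition such as aws:SourceIp can narrow an
    otherwise public grant; a human should look at it rather than a regex.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({"Sid": stmt.get("Sid", ""), "Action": actions, "Conditional": "Condition" in stmt})
    return findings


def bucket_is_public(acl, policy_document):
    """True if the ACL or an unconditional policy statement opens the bucket."""
    if public_acl_grants(acl):
        return True
    return any(not f["Conditional"] for f in public_policy_statements(policy_document))


# Constructed sample of a misconfigured bucket: world-readable ACL plus a public-read policy.
EXPOSED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"}],
})

# Constructed sample of the corrected state: owner-only ACL, policy scoped to one role.
LOCKED_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AgencyRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/constructed-role"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::constructed-bucket", "arn:aws:s3:::constructed-bucket/*"]}],
})

if __name__ == "__main__":
    for label, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY), ("locked", LOCKED_ACL, LOCKED_POLICY)):
        print(label, "public:", bucket_is_public(acl, pol), public_acl_grants(acl), public_policy_statements(pol))
```

Against a live account the two constructed dicts would be replaced by `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]`. AWS's own evaluation, `s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]["IsPublic"]`, is more thorough than this script, and enabling S3 Block Public Access on the account (`put_public_access_block`) stops a future ACL or policy change from reopening the bucket regardless of who misconfigures it.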

U.S. authorities are offering a $5 million reward for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes by the moniker “aqua.” The U.S. alleges that Yakubets and his organization have stolen millions of dollars from victims using the Dridex banking trojan and Zeus malware. Separately, the U.S. Treasury Department on Thursday issued sanctions against Evil Corp, “as part of a sweeping action against one of the world’s most prolific cybercriminal organizations.” The $5 million is the largest such reward offered for a cybercriminal to date. “Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Assistant Attorney General Benczkowski in a statement Thursday. “These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks. The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.” The indictment, which also charges a second Evil Corp member, Igor Turashev, 38, alleges that Yakubets was the leader of the cybercrime gang and oversaw the development and distribution of the Dridex malware and botnet. Since its first appearance in 2012, the banking trojan Dridex (also known as Bugat and Cridex) has been…

HackerOne has paid out $20,000 after a high-severity vulnerability was discovered in the bug-bounty platform. The flaw allowed an outside bounty hunter to access customers’ reports and other sensitive information. Disclosed this week in a HackerOne report, the security incident stemmed from a session cookie that was exposed through human error during an interaction between a HackerOne staff member and a bug-bounty hunter using the alias “haxta4ok00.” HackerOne revoked the session cookie two hours after it was shared. “HackerOne triages incoming reports for HackerOne’s own bug-bounty program,” according to HackerOne’s report. “On November 24, 2019, a [HackerOne] security analyst tried to reproduce a submission to HackerOne’s program, which failed. The security analyst replied to the hacker, accidentally including one of their own valid session cookies.” A session cookie is tied to a particular application (in this case, hackerone.com), not to the browser or network location that created it, so the application does not block access when the cookie is replayed from somewhere else. That meant every platform feature available to the analyst was available to the hacker, as well as a number of customer reports the analyst had handled. “In this particular case, parts of a cURL command, copied from a browser console, were not removed before posting it to the report, disclosing the session cookie,” according to HackerOne. Also as part of this, the hacker was able to access a number of reports from…
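A browser's "Copy as cURL" puts the full `Cookie` header (and any `Authorization` header) on the command line, which is exactly what ended up in the analyst's reply. The following is an added example, not HackerOne's code: a small redactor that strips those credentials from a curl command before it is pasted into a report or comment, and a gate that refuses the raw command if anything had to be redacted. It handles the two places a credential lands on a curl line, `-H`/`--header` with `Cookie:` or `Authorization:`, and `-b`/`--cookie`; the sample commands, hostnames and token values are constructed.

```python
"""Redact session cookies and Authorization headers from a "Copy as cURL" command.

Added illustration, not HackerOne code. The sample commands, host names and
token values below are constructed; nothing here is a real session.
"""
import re

REDACTED = "[REDACTED]"

# -H 'Cookie: ...' or --header "Authorization: ...": the quote style is captured and reused.
# The header name match is case-insensitive; the flag itself must be preceded by whitespace.
_HEADER_RE = re.compile(
    r"""(?P<flag>(?<!\S)(?:-H|--header)\s+)(?P<q>['"])(?P<name>(?i:cookie|authorization))"""
    r"""(?P<sep>\s*:\s*)(?P<val>[^'"]*)(?P=q)"""
)
# -b 'name=value' or --cookie "name=value" (a cookie-jar path is redacted too; it is still a credential).
_COOKIE_FLAG_RE = re.compile(
    r"""(?P<flag>(?<!\S)(?:-b|--cookie)\s+)(?P<q>['"])(?P<val>[^'"]*)(?P=q)"""
)


def redact_curl(command):
    """Return (redacted_command, findings); findings names each credential removed, in order."""
    findings = []

    def header_repl(m):
        findings.append(m.group("name"))
        return m.group("flag") + m.group("q") + m.group("name") + m.group("sep") + REDACTED + m.group("q")

    def cookie_repl(m):
        findings.append("cookie flag")
        return m.group("flag") + m.group("q") + REDACTED + m.group("q")

    command = _HEADER_RE.sub(header_repl, command)
    command = _COOKIE_FLAG_RE.sub(cookie_repl, command)
    return command, findings


def safe_to_post(command):
    """Gate for a report or comment form: refuse the raw command if anything was redacted."""
    _, findings = redact_curl(command)
    return not findings


# Constructed sample, in the shape a browser's "Copy as cURL" produces.
SAMPLE_COMMAND = (
    "curl 'https://hackerone.com/reports/0' "
    "-H 'Cookie: __Host-session=CONSTRUCTED-SESSION-TOKEN; _csrf=abc' "
    "-H 'Authorization: Bearer CONSTRUCTED-BEARER' "
    "-H 'User-Agent: Mozilla/5.0' --compressed"
)

if __name__ == "__main__":
    clean, found = redact_curl(SAMPLE_COMMAND)
    print(clean)
    print("redacted:", found, "| safe to post as-is:", safe_to_post(SAMPLE_COMMAND))
```

The values are matched up to the closing quote, so a cookie value containing the same quote character would need the shell-escaped form handled separately; that is deliberately left out to keep the rule legible. Redaction only limits the blast radius of a paste; the underlying lesson of the incident is that the server accepted the cookie from a different client, so binding sessions to more than the cookie value (short lifetimes, re-authentication for sensitive actions, revocation on anomaly) is the control that matters.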

An authentication bypass and three local privilege-escalation (LPE) bugs have been uncovered in OpenBSD, the Unix-like open-source operating system known for its security protections. The most severe of the vulnerabilities is the bypass (CVE-2019-19521), which is remotely exploitable. OpenBSD uses BSD authentication, which supports passwords, S/Key challenge-and-response authentication and Yubico YubiKey tokens. In each of these cases, authentication is performed by running a helper with the command line “/usr/libexec/auth/login_style [-v name=value] [-s service] username class”, with the username placed on that command line as a positional argument. If an attacker specifies the username “-schallenge” (or “-schallenge:passwd”), the helper parses it as the option “-s challenge” rather than as a username, and the authentication is automatically successful and therefore bypassed. That said, “Its real-world impact should be studied on a case-by-case basis,” said Qualys, the research firm that found the bugs, in an advisory issued this week. “For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.” The other bugs include CVE-2019-19520, which allows LPE via xlock, the screen locker that refuses all new X server connections until a user enters a password at the keyboard; CVE-2019-19522, which allows LPE via the aforementioned S/Key and YubiKey authentication mechanisms; and CVE-2019-19519, which allows LPE via su. The xlock bug exists because “/usr/X11R6/bin/xlock is installed by default and is set-group-ID ‘auth,’ not set-user-ID, which leaves an incomplete check,” Qualys explained. “A local attacker can exploit this vulnerability…
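The bypass is an argument-injection bug: user input is laid onto a command line where a getopt-style parser cannot tell a username beginning with "-" from an option. The following is an added model of that, not OpenBSD's code. It uses Python's `getopt` in place of the C library's to show how "-schallenge" is read as "-s challenge", and puts a vulnerable and a hardened caller side by side. Two things are assumptions: the toy helper answers "authorize" for the "challenge" service without consulting a password, which stands in for the "automatically successful" outcome the advisory describes rather than reproducing login_passwd's real logic, and the hardened caller's rejection of names with a leading dash is one reasonable mitigation, not necessarily the exact OpenBSD patch. The account table is constructed.

```python
"""Model of the BSD-auth argument-injection bypass (CVE-2019-19521).

Added illustration, not OpenBSD code. Python's getopt stands in for the
helper's option parser; the account table is constructed sample data.
"""
import getopt

PASSWORD_DB = {"alice": "correct horse"}  # constructed sample accounts


def helper_argv(service, username, klass):
    """How the calling layer lays out the helper's command line: options first, then positionals."""
    return ["-s", service, username, klass]


def login_helper(argv, supplied_password):
    """Toy login_style helper: parses its argv like the real one and returns 'authorize' or 'reject'."""
    try:
        opts, positional = getopt.getopt(argv, "v:s:")
    except getopt.GetoptError:
        return "reject"
    service = "login"
    for flag, value in opts:
        if flag == "-s":
            service = value          # a later -s silently overrides an earlier one
    if not 1 <= len(positional) <= 2:   # username [class]
        return "reject"
    username = positional[0]
    if service == "challenge":
        # ASSUMPTION: models the advisory's "automatically successful" outcome for the
        # challenge service; no password is consulted on this path.
        return "authorize"
    return "authorize" if PASSWORD_DB.get(username) == supplied_password else "reject"


def _strip_style(username):
    """ASSUMPTION: the caller accepts "user:style" to pick a login style; here the suffix is dropped."""
    return username.split(":", 1)[0]


def authenticate_vulnerable(username, password, klass="default"):
    """Hand the user-controlled name straight to the helper, as the vulnerable path did."""
    name = _strip_style(username)
    return login_helper(helper_argv("login", name, klass), password)


def authenticate_hardened(username, password, klass="default"):
    """Refuse any name the helper's parser could read as an option before it reaches the command line."""
    name = _strip_style(username)
    if not name or name.startswith("-"):
        return "reject"
    return login_helper(helper_argv("login", name, klass), password)


def parsed_service(username, klass="default"):
    """What the helper ends up treating as its service for a given username (for demonstration)."""
    opts, _ = getopt.getopt(helper_argv("login", _strip_style(username), klass), "v:s:")
    return [value for flag, value in opts if flag == "-s"][-1]


if __name__ == "__main__":
    for user in ("alice", "-schallenge", "-schallenge:passwd"):
        print(f"{user:22} service seen by helper: {parsed_service(user):10} "
              f"vulnerable: {authenticate_vulnerable(user, 'anything'):10} "
              f"hardened: {authenticate_hardened(user, 'anything')}")
```

The same shape of bug appears wherever untrusted strings are appended to an argv, a `--` separator before the positionals or a validation step on the name are the two standard fixes, and the page's "-schallenge:passwd" form shows why the check has to run on the name the helper will actually see rather than on the raw input.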

Hackers pulled off an elaborate man-in-the-middle campaign to rip off an Israeli startup, intercepting a wire transfer from a Chinese venture-capital firm intended for the new business. New research from Check Point Software details how the security vendor uncovered the wire-transfer heist, in which an attacker used unusual tactics, including communicating with both parties by email and even canceling a critical in-person meeting, to fool both ends of the transfer, researchers said. Check Point became involved in the incident when a $1 million wire transfer between the two parties never reached the startup, researchers said in a report posted online Thursday. Typically in this type of cybercrime, a criminal keeps track of emails between the two parties arranging a wire transfer by creating an auto-forwarding rule in a compromised mailbox to intercept them. In this case, the attacker went above and beyond this, registering two new lookalike domains to get more closely involved in the conversation, researchers said. Check Point researchers collected and analyzed the available logs, emails and PCs involved in the transfer, they said. On examining the emails it was obvious that something was amiss: the traffic ran between the lookalike domains and the two companies. “The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name,” researchers wrote. “The…
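A lookalike domain one character away from a real counterparty is cheap to register and easy to miss by eye, but trivial to flag mechanically. The following is an added example, not Check Point's tooling: it parses a message's headers with the standard library, compares the `From`, `Reply-To` and `Return-Path` domains against a list of domains the organisation actually corresponds with, and reports any domain within one edit (an appended "s", a swapped letter) of a trusted one that is not an exact match, plus the classic `Reply-To` mismatch. The trusted-domain list and the sample messages are constructed; the domain names do not refer to the companies in the story.

```python
"""Flag lookalike sender domains in e-mail headers (the pattern Check Point describes).

Added illustration, not Check Point's tooling. TRUSTED_DOMAINS and the sample
messages are constructed; the domains are placeholders, not the real parties.
"""
import email
import email.utils
from email import policy

TRUSTED_DOMAINS = {"startup.example", "vcfund.example"}  # constructed counterparty list


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def header_domain(value):
    """Domain part of an address header, lower-cased; '' if there is no parseable address."""
    _, addr = email.utils.parseaddr(str(value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_findings(raw_message, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return (header, seen_domain, trusted_domain) for each near-miss, plus any Reply-To mismatch."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        seen = header_domain(value)
        if not seen or seen in trusted:
            continue
        for candidate in sorted(trusted):
            if edit_distance(seen, candidate) <= max_distance:
                findings.append((header, seen, candidate))
    # A Reply-To that steers replies to a different domain than From is a BEC signal on its own.
    from_dom = header_domain(msg.get("From", ""))
    reply_dom = header_domain(msg.get("Reply-To", ""))
    if from_dom and reply_dom and reply_dom != from_dom:
        findings.append(("Reply-To mismatch", reply_dom, from_dom))
    return findings


# Constructed sample: the startup's domain with an extra "s", as in the story.
SUSPECT_MESSAGE = """\
From: "Finance" <finance@startups.example>
To: partner@vcfund.example
Reply-To: finance@startups.example
Subject: Updated wire instructions for the closing
Date: Thu, 05 Dec 2019 10:00:00 +0000

Please use the attached account details for the transfer.
"""

# Constructed sample: genuine sender, but replies redirected elsewhere.
REDIRECT_MESSAGE = """\
From: "Finance" <finance@startup.example>
Reply-To: finance@mail-startup.example
To: partner@vcfund.example
Subject: Re: closing

Confirming the new account.
"""

LEGIT_MESSAGE = "From: finance@startup.example\nTo: partner@vcfund.example\nSubject: hello\n\nhi\n"

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MESSAGE), ("redirect", REDIRECT_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, lookalike_findings(text))
```

In a mail gateway this check would sit next to, not instead of, SPF/DKIM/DMARC evaluation: the lookalike domain in the story was legitimately registered by the attacker and would pass those checks for its own name, which is exactly why a comparison against the domains you expect to hear from is needed.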

While APT activity is generally thought to be aimed at large enterprises holding valuable intellectual property, military-industrial entities, dissidents and civil society, and organizations of strategic importance to governments, the vast majority of small and medium-sized businesses (SMBs) are concerned that they may be on the target list. A full 93 percent of the SMB executives in a recent survey from AppRiver believe that nation-state-backed attackers are attempting to use businesses like theirs to breach the country’s digital security, and this already-high figure rises to 97 percent among larger SMBs with 150–250 employees. The reasoning goes that APTs see SMBs as entry points into a supply chain through which they can reach larger targets. Overall, two-thirds (66 percent) of SMB execs (and three-quarters, or 76 percent, of execs at larger SMBs) also believe that foreign attempts to breach national security or wage cyberwar will be more severe next year in the run-up to the presidential election. SMBs operating in specific verticals (government, healthcare and pharmaceutical, technology and telecom, and transportation and logistics) are the most concerned about these kinds of attacks, the data shows. “It is possible that as a small business grows, it could become a more likely target for bad actors,” according to the report. “It is also possible that small businesses with cloud-based services with built-in security and fewer employees have fewer vulnerable attack…

Hospital network Nebraska Medicine has disclosed a data breach after a former employee accessed sensitive patient data, including medical records and Social Security numbers. The Nebraska Medicine network encompasses Nebraska’s largest hospital, Nebraska Medical Center, as well as other locations such as Bellevue Medical Center. On Oct. 1, during an audit of its electronic medical record system, Nebraska Medicine discovered that an employee had accessed patient records “outside of the employee’s job responsibilities.” The employee was terminated the next day. “Once Nebraska Medicine became aware of the incident, our staff took action to investigate, prevent further improper access and to notify affected patients,” a spokesperson told Threatpost. After further investigation, the company determined that the unauthorized access occurred between July 11, 2018 and Oct. 1, 2019, and that the employee was able to view some patients’ medical records. The information viewed may have included patients’ demographic information (such as name, address, date of birth, medical record number, Social Security number and license number) and clinical information, such as physician notes, laboratory results or imaging data. Nebraska Medicine did not comment on how many patients were affected. Despite stressing that it has “no reason to believe the information accessed has been or will be misused,” the healthcare provider is offering free credit monitoring for a year for patients whose…
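The breach surfaced through an audit of the EMR's access records, and the fifteen-month window in the disclosure is the kind of figure such an audit produces. The following is an added example, not Nebraska Medicine's audit tooling: it runs one common rule over an access log, flagging any chart opened by a user with no recorded care-team assignment for that patient, and summarises per user with the first and last improper access. The audit rows, the assignment table and the CSV layout are constructed assumptions; real EMR audit exports differ in shape, and a production rule would also account for legitimate break-the-glass access and patients seen in shared units.

```python
"""Detection over constructed EMR access-audit records: chart access without a care relationship.

Added illustration, not Nebraska Medicine's audit tooling. AUDIT_LOG, ASSIGNMENTS
and the CSV layout are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed audit export: one row per chart access.
AUDIT_LOG = """\
timestamp,user,patient_mrn,action
2019-07-11T08:02:10,emp1,1001,view
2019-07-11T08:05:44,emp1,1002,view
2019-08-03T14:20:01,emp1,2507,view
2019-09-15T09:12:33,emp2,1001,view
2019-10-01T07:45:12,emp1,3311,view
2019-10-01T07:46:00,emp2,1002,view
"""

# Constructed care-team assignments: the patients each user may legitimately open.
# A user absent from this table has no legitimate patients, so all of their accesses are flagged.
ASSIGNMENTS = {"emp1": {"1001", "1002"}, "emp2": {"1001", "1002"}}


def parse_audit(text):
    """Rows of the audit export as dicts, in logged order."""
    return list(csv.DictReader(io.StringIO(text)))


def improper_accesses(rows, assignments):
    """Rows where the user has no assignment covering the patient they opened."""
    return [r for r in rows if r["patient_mrn"] not in assignments.get(r["user"], set())]


def summarize(findings):
    """Per user: count of improper accesses, distinct patients, first and last timestamp."""
    per_user = defaultdict(lambda: {"count": 0, "patients": set(), "first": None, "last": None})
    for r in findings:
        s = per_user[r["user"]]
        s["count"] += 1
        s["patients"].add(r["patient_mrn"])
        # ISO-8601 timestamps in one zone compare correctly as strings.
        s["first"] = r["timestamp"] if s["first"] is None else min(s["first"], r["timestamp"])
        s["last"] = r["timestamp"] if s["last"] is None else max(s["last"], r["timestamp"])
    return dict(per_user)


def audit_report(text=AUDIT_LOG, assignments=ASSIGNMENTS):
    """End-to-end: parse, apply the rule, summarise."""
    return summarize(improper_accesses(parse_audit(text), assignments))


if __name__ == "__main__":
    for user, s in audit_report().items():
        print(f"{user}: {s['count']} improper accesses to {len(s['patients'])} patients, "
              f"{s['first']} to {s['last']}")
```

Run continuously rather than at audit time, the same rule turns a fifteen-month window into a same-day alert; the assignment table is the hard part in practice, since it has to be fed from scheduling, admission and order systems rather than maintained by hand.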
